Workers Routinely Dodge Security Policies

Lack of Email Encryption

30% of respondents cannot encrypt email, a finding similar to last year's 28%. Furthermore, 33% of respondents are not confident in their company's email encryption policy.

Email Encryption Budgets

42% of respondents said their company will spend at least $10,000 during 2015 on email encryption.

Mobile Encryption Lacking

86% of respondents said their organization permits employees to use mobile devices for email, but of those who can encrypt email and allow email use on mobile, 36% cannot directly send and receive encrypted email from their mobile email client.

Smaller Organizations, Greater Email Risk

47% of respondents from small organizations said email encryption is not enabled on mobile compared to 31% for large organizations.

Lackluster Compliance Confidence

50% of respondents believe it is "somewhat likely" their company may be selected for a compliance audit within 2015. And 60% admit they are only "somewhat confident" their organization would pass such an audit.

Efforts to Reduce Risk

66% of respondents said their organization is training employees to improve compliance and security policy adherence.

How to Reduce Risk

43% said their companies use technology to monitor and report security risks. 50% said they are communicating more about their policies.

HIPAA/HITECH'S Longtail

70% of respondents said their organizations have a business relationship with a health care entity and also process Protected Health Information (PHI). 25% are either not a HIPAA business associate or were unsure if they are, however.

Unclear HIPAA Business Associate Agreements

HIPPA regulations define business associates as downstream entities, such as subcontractors, data backup companies and personal health record providers. 40% of respondents had either not been asked to sign a business associate agreement, or were unsure whether they had done so, putting health care entities they work with at risk for noncompliance.

A new study finds significant security risk occurring in the enterprise, with one-fifth of employees violating their company's compliance and security policies simply to get their jobs done. According to DataMotion's third annual survey on corporate email and transfer habits, companies increasingly put security and client compliance policies in place–90% of respondents this year compared to 81% last year. Yet one-third of the respondents said employees don't fully understand those policies. 44% admit that their policies are only moderately enforced. Three-quarters of respondents said employees violate policies at least occasionally. The study polled 780 IT and business decision makers in the United States and Canada, focusing on those who routinely work with sensitive data and compliance regulations in health care, financial services, education, government and other industries. The study also addresses HIPAA compliance. Bob Janacek, CTO at DataMotion, said "The data show a gaping hole in security when it comes to mobile devices–with many companies permitting their use but not taking into account their lack of email encryption capabilities."

Karen A. Frenkel writes about technology and innovation and lives in New York City.